问题
How do I change the key pair for my ec2 instance in AWS management console? I can stop the instance, I can create new key pair, but I don\'t see any link to modify the instance\'s key pair.
回答1:
This answer is useful in the case you no longer have SSH access to the existing server (i.e. you lost your private key).
If you still have SSH access, please use one of the answers below.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#replacing-lost-key-pair
Here is what I did, thanks to Eric Hammond's blog post:
- Stop the running EC2 instance
- Detach its
/dev/xvda1
volume (let's call it volume A) - see here - Start new t1.micro EC2 instance, using my new key pair. Make sure you create it in the same subnet, otherwise you will have to terminate the instance and create it again. - see here
- Attach volume A to the new micro instance, as
/dev/xvdf
(or/dev/sdf
) SSH to the new micro instance and mount volume A to
/mnt/tmp
$ sudo mount /dev/xvdf1 /mnt/tmp
Copy
~/.ssh/authorized_keys
to/mnt/tmp/home/ubuntu/.ssh/authorized_keys
- Logout
- Terminate micro instance
- Detach volume A from it
- Attach volume A back to the main instance as
/dev/xvda
- Start the main instance
- Login as before, using your new
.pem
file
That's it.
回答2:
Once an instance has been started, there is no way to change the keypair associated with the instance at a meta data level, but you can change what ssh key you use to connect to the instance.
There is a startup process on most AMIs that downloads the public ssh key and installs it in a .ssh/authorized_keys file so that you can ssh in as that user using the corresponding private ssh key.
If you want to change what ssh key you use to access an instance, you will want to edit the authorized_keys file on the instance itself and convert to your new ssh public key.
The authorized_keys file is under the .ssh subdirectory under the home directory of the user you are logging in as. Depending on the AMI you are running, it might be in one of:
/home/ec2-user/.ssh/authorized_keys
/home/ubuntu/.ssh/authorized_keys
/root/.ssh/authorized_keys
After editing an authorized_keys file, always use a different terminal to confirm that you are able to ssh in to the instance before you disconnect from the session you are using to edit the file. You don't want to make a mistake and lock yourself out of the instance entirely.
While you're thinking about ssh keypairs on EC2, I recommend uploading your own personal ssh public key to EC2 instead of having Amazon generate the keypair for you.
Here's an article I wrote about this:
Uploading Personal ssh Keys to Amazon EC2
http://alestic.com/2010/10/ec2-ssh-keys
This would only apply to new instances you run.
回答3:
Run this command after you download your AWS pem.
ssh-keygen -f YOURKEY.pem -y
Then dump the output into authorized_keys
.
Or copy pem file to your AWS instance and execute following commands
chmod 600 YOURKEY.pem
and then
ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys
回答4:
Instruction from AWS EC2 support:
- Change pem login
- go to your EC2 Console
- Under NETWORK & SECURITY, click on Key Pair Click on Create Key Pair
- Give your new key pair a name, save the .pem file. The name of the key pair will be used to connect to your instance
- Create SSH connection to your instance and keep it open
- in PuttyGen, click "Load" to load your .pem file
- Keep the SSH-2 RSA radio button checked. Click on "Save private key" You'll get pop-up window warning, click "Yes”
- click on "Save public key" as well, so to generate the public key. This is the public key that we're going to copy across to your current instance
- Save the public key with the new key pair name and with the extension .pub
- Open the public key content in a notepad
- copy the content below "Comment: "imported-openssh-key" and before
"---- END SSH2 PUBLIC KEY ----
Note - you need to copy the content as one line - delete all new lines - on your connected instance, open your authorized_keys file using the tool vi. Run the following command: vi .ssh/authorized_keys you should see the original public key in the file also
- move your cursor on the file to the end of your first public key content :type "i" for insert
- on the new line, type "ssh-rsa" and add a space before you paste the content of the public key , space, and the name of the .pem file (without the .pem) Note - you should get a line with the same format as the previous line
- press the Esc key, and then type :wq!
this will save the updated authorized_keys file
now try open a new SSH session to your instance using your new key pai
When you've confirmed you're able to SSH into the instance using the new key pair, u can vi .ssh/authorized_key and delete the old key.
Answer to Shaggie remark:
If you are unable to connect to the instance (e.g. key is corrupted) than use the AWS console to detach the volume (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html) and reattach it to working instance, than change the key on the volume and reattach it back to the previous instance.
回答5:
I noticed that when managed by Elastic Beanstalk, you can change your active EC2 key pair. Under Elastic Beanstalk > Configuration > Security, choose the new key from the EC2 key pair drop-down. You'll see this message asking if you're sure:
EC2KeyName: Changes to option EC2KeyName settings will not take effect immediately. Each of your existing EC2 instances will be replaced and your new settings will take effect then.
My instance was already terminated when I did this. It then started, terminated, and started again. Apparently "replacing" means terminating and creating a new instance. If you've modified your boot volume, create an AMI first, then specify that AMI in the same Elastic Beanstalk > Configuration > Instances form as the Custom AMI ID. This also warns about replacing the EC2 instances.
After you've modified your EC2 key pair and Custom AMI ID, and after seeing warnings about both, click Save to continue.
Remember that the IP address changes when the instance is re-created so you'll need to retrieve a new IP address from the EC2 console to use when connecting via SSH.
回答6:
I went through this approach, and after some time, was able to make it work. The lack of actual commands made it tough, but I figured it out. HOWEVER - much easier approach was found and tested shortly after:
- Save your instance as an AMI (reboot or not, I suggest reboot). This will only work if EBS backed.
- Then, simply start an instance from this AMI and assign your new Keyfile.
- Move over your elastic IP (if applicable) to your new instance, and you are done.
回答7:
If below steps are followed it will save lot of time and there will be no need to stop the running instance.
- Start new t1.micro EC2 instance, using new key pair. Make sure you create it in the same subnet, otherwise you will have to terminate the instance and create it again.
- SSH to the new micro instance and copy content of ~/.ssh/authorized_keys somewhere on your computer.
- Login to main instance with old ssh key.
- Copy & replace the file content from point 2 to ~/.ssh/authorized_keys
- Now you can login again only with new key. Old key will not work anymore.
That is it. Enjoy :)
回答8:
I believe the simpliest aproach is to :
- Create AMI image of existing instance.
- Launch new EC2 instance using AMI image (crated by step 1) with new key pair.
- Login to new EC2 instance with new key.
回答9:
In case you are using ElasticBeanstalk platform, you can change the keys by going:
- Elastic Beanstalk panel
- Configuration
- Instances (cog top-right)
- EC2 key pair
This will terminate current instance and creates new one with chosen keys/settings.
回答10:
The simplest solution is to copy the contents of
~/.ssh/id_rsa.pub
into your AWS instance's authorized_keys at
~/.ssh/authorized_keys
This will allow you to ssh into the EC2 instance without specifying a pem file for the ssh command. You can remove all other keys once you've tested connecting to it.
If you need to create a new key to share it with someone else, you can do that with:
ssh-keygen -t rsa
which will create the private key.pem file, and you can get the public key of that with:
ssh-keygen -f private_key.pem -y > public_key.pub
Anyone who has private_key.pem will be able to connect with
ssh user@host.com -i private_key.pem
回答11:
I have tried below steps and it worked without stopping the instance. My requirement was - as I have changed my client machine, the old .pem file was not allowing me to log in to the ec2 instance.
- Log in to the ec2 instance using your old .pem file from the old machine. Open ~/.ssh/authorized_keys
You will see your old keys in that file.
ssh-keygen -f YOUR_PEM_FILE.pem -y It will generate a key. Append the key to ~/.ssh/authorized_keys opened in step#1. No need to delete the old key.
From AWS console, create a new key pair. Store it in your new machine. Rename it to the old pem file - reason is old pem file is still associated with the ec2 instance in AWS.
All done.
I am able to log in to the AWS ec2 from my new client machine.
回答12:
You have several options to replace the key of your EC2 instance.
- You can replace the key manually in the .ssh/authorized_keys file. However this requires you to have actually access to the instance or the volume if this is unencrypted.
- You can use the AWS Systems Manager. This requires to have an agent installed.
Since the first option can be found easily in the answers or at the search engine of your choice, I want to focus on the Systems Manager.
- Open the Service
Systems Manager
- Click on
Automation
on the left side. - Click on
Execute Automation
- Select
AWSSupport-TroubleshootSSH
(usually it is on the last page)
You can find more information on the Official AWS Documentation
回答13:
You don't need to rotate root device and change the SSH Public Key in authorized_keys
. For that can utilize userdata to add you ssh keys to any instance. For that first you need to create a new KeyPair using AWS console or through ssh-keygen.
ssh-keygen -f YOURKEY.pem -y
This will generate public key for your new SSH KeyPair, copy this public key and use it in below script.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
/bin/echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6xigPPA/BAjDPJFflqNuJt5QY5IBeBwkVoow/uBJ8Rorke/GT4KMHJ3Ap2HjsvjYrkQaKANFDfqrizCmb5PfAovUjojvU1M8jYcjkwPG6hIcAXrD5yXdNcZkE7hGK4qf2BRY57E3s25Ay3zKjvdMaTplbJ4yfM0UAccmhKw/SmH0osFhkvQp/wVDzo0PyLErnuLQ5UoMAIYI6TUpOjmTOX9OI/k/zUHOKjHNJ1cFBdpnLTLdsUbvIJbmJ6oxjSrOSTuc5mk7M8HHOJQ9JITGb5LvJgJ9Bcd8gayTXo58BukbkwAX7WsqCmac4OXMNoMOpZ1Cj6BVOOjhluOgYZbLr" >> /home/hardeep/.ssh/authorized_keys
--//
After the restart the machine will be having the specified SSH publch key. Remove the userdata after first restart. Read more about userdata on startup.
回答14:
Yegor256's answer worked for me, but I thought I would just add some comments to help out those who are not so good at mounting drives(like me!):
Amazon gives you a choice of what you want to name the volume when you attach it. You have use a name in the range from /dev/sda - /dev/sdp The newer versions of Ubuntu will then rename what you put in there to /dev/xvd(x) or something to that effect.
So for me, I chose /dev/sdp as name the mount name in AWS, then I logged into the server, and discovered that Ubuntu had renamed my volume to /dev/xvdp1). I then had to mount the drive - for me I had to do it like this:
mount -t ext4 xvdp1 /mnt/tmp
After jumping through all those hoops I could access my files at /mnt/tmp
回答15:
This will work only if you have access to the instance you want to change/add the key in. You can create a new key pair. Or if you already have the key pair, then you can paste the public key of the new pair in the authorized_keys file on your instance.
vim .ssh/authorized_keys
Now you can use the private key for that pair and log in.
Hope this helps.
回答16:
My issue was , I tried with IP
rather than public DNS
. Then i tried with public DNS
and its resolved
回答17:
if you are unable to login in VM and deleted your ssh key's and you can also change the key pair of your ec2 using below steps. Go step by step 1) stop your ec2 instance. 2)take a snapshot of VM and storage. 3)create a new VM while creating it select your snapshot and create VM from your Snapshot. 4) while the creation of VM downloads your keypair. 5) once your VM UP you can ssh with a new key pair and your data will also back.
来源:https://stackoverflow.com/questions/7881469/change-key-pair-for-ec2-instance